Pinterest Fixes Validation Vulnerability in API

Pinterest recently fixed an issue in the API of its web app that could have allowed remote attackers to compromise emails and carry out session hijacking and phishing attacks.

Vulnerability Lab researcher Benjamin Kunz Mejri discovered the issue, a persistent mail encoding and validation web vulnerability, shortly after the start of the year. Pinterest's developers were quick to fix it, issuing a patch in February, two weeks after Mejri notified them of the bug, but the vulnerability wasn't publicly disclosed until Monday.

The issue was located in Pinterest's API, in the `contact_name` value of the User Profile schema. Upon registration, an attacker could supply their own malicious script in this value, and because the value was stored unvalidated and later rendered into mail, it could compromise emails sent to targeted users or to arbitrary addresses.

“After the inject of malicious script code the service stores the account in the database management system,” reads part of the disclosure. “The attack vector of the issue is located on the application-side of the online service and the request method to inject is POST.”

Remote attackers could register Pinterest accounts with arbitrary email addresses, which were not verified, and then send malicious ‘Pins’ to users. A successful exploit could result in:

Session hijacking

Persistent phishing attacks

Persistent redirect to external sources

Persistent manipulation of affected or connected module context.
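The two defences that close this class of bug are input validation on the stored field and output encoding wherever the field is rendered. The following is an added illustration written for this article, not Pinterest's code and not the researcher's proof of concept: a hypothetical server-side model of the flow described above, with an in-memory profile store, a `contact_name` validator, and a mail template in both its unvalidated form and its hardened form. The payload, the email addresses and the pin title are constructed for the demonstration.

```python
import html
import re

# Hypothetical model of the flow the article describes: an API accepts a
# profile's contact_name on registration, stores it, and later renders it
# into an HTML e-mail when that account shares a Pin.  Added example only.

MAX_CONTACT_NAME = 64
# Letters, digits, spaces, dots, hyphens and apostrophes only.  HTML/JS
# metacharacters such as < > " & / are rejected outright on input; the
# apostrophe is allowed for names like O'Brien and is neutralised on output.
CONTACT_NAME_RE = re.compile(r"^[\w .\-']{1,%d}$" % MAX_CONTACT_NAME)

# In-memory stand-in for the database that persisted the injected account.
PROFILES = {}

# Constructed probe payload: a generic stored-XSS marker, not the original report's.
PAYLOAD = "<script>alert(document.cookie)</script>"


def validate_contact_name(name):
    """Server-side input validation for the contact_name field."""
    if not isinstance(name, str):
        return False
    # Control characters (including CR/LF, which would also allow mail
    # header injection) are never legitimate in a display name.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False
    return CONTACT_NAME_RE.fullmatch(name) is not None


def register(email, contact_name, validate=True):
    """Store a profile.  validate=False mimics the unpatched behaviour:
    whatever arrives in the POST body is persisted as-is."""
    if validate and not validate_contact_name(contact_name):
        return False
    PROFILES[email] = {"contact_name": contact_name}
    return True


def render_pin_email_vulnerable(email, pin_title):
    """Mail template that trusts the stored value: script in contact_name
    lands verbatim in every recipient's inbox."""
    name = PROFILES[email]["contact_name"]
    return "<p>%s shared a Pin with you: %s</p>" % (name, pin_title)


def render_pin_email_hardened(email, pin_title):
    """Same template with HTML entity encoding applied at the output point,
    so even a value that slipped past validation cannot execute."""
    name = PROFILES[email]["contact_name"]
    return "<p>%s shared a Pin with you: %s</p>" % (
        html.escape(name, quote=True),
        html.escape(pin_title, quote=True),
    )


def demo():
    """Run the unpatched and patched paths side by side."""
    attacker = "attacker@example.invalid"   # constructed address
    # Unpatched path: no validation, raw name reaches the mail template.
    register(attacker, PAYLOAD, validate=False)
    unsafe = render_pin_email_vulnerable(attacker, "Holiday ideas")
    # Patched path: validation refuses the name before it is stored ...
    rejected = not register(attacker, PAYLOAD)
    # ... and output encoding neutralises anything already in the database.
    safe = render_pin_email_hardened(attacker, "Holiday ideas")
    return unsafe, rejected, safe


if __name__ == "__main__":
    unsafe, rejected, safe = demo()
    print("unpatched mail body:", unsafe)
    print("registration rejected by validator:", rejected)
    print("hardened mail body:  ", safe)
```

Both layers matter: validation alone leaves records that were injected before the patch, and encoding alone still lets the stored value poison any other consumer of the field (search results, the mobile apps, partner exports). The unverified-email registration the researcher describes is a separate weakness; requiring a confirmed address before an account can send Pins would not have removed the injection point, only raised its cost.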

Mejri says that, before the fix, exploiting the vulnerability required only a low-privilege Pinterest account and little user interaction, and that it could have been exploited by local and remote attackers alike.

The photo sharing app, which allows users to share “pins” and maintain “pinboards,” received some flak when it first launched its bug bounty program and offered researchers only t-shirts and a mention in its bounty hall of fame as prizes. In March the company embraced HTTPS and subsequently upped the ante for the program. Pinterest now pays between $25 and $200 for bugs in its developer site, API, and iOS and Android mobile applications, although neither Pinterest nor Mejri specified exactly how much this vulnerability was worth.